Posted by Iván Sánchez Ortega on 04/23/06 01:14
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cruella DeVille wrote:
> I must have some errors in my understanding of strip- vs addslashes.
> I thought that if a user submitted e.g. a username, like this
> username=siv' drop database test; I should addslashes to escape ' and "
> and therefore prohibit the evil user to drop/change my database through
> sql injection (my example may not be correct, but I believe it points
> out that an evil user can add sql commands through an input field).
I recommend not to use addslashes to escape DB queries - please use specific
functions to do that job (such as mysql_real_escape() or pg_escape_string()
IIRC).
The reason for this? Different DB engines may have different quoting
conventions. If you read the MySQL and PostgreSQL manuals thoroughly,
you'll see that the SQL standard is to escape single quotes by doubling
them (a single quote becomes two single quotes, not a double quote).
A backslash-and-single quote may not be recognized by a particular SQL
engine. So, avoid using addslashes() if possible, and read the
documentation of the DB engine you're using.
> But - I've been reading lots of code lately, and I see that others use
> stripslashes instead of addslashes. And my question is why. What did I
> miss? Has it something to do with gpc_magic_quotes?
Yep, magic quotes may turn data entered by the user into a gibberish of
\\\\\'. That's why people often stripslashes() the input data.
You can safely disable gpc_magic_quotes, or even stripslashes() the input
data. But only if you do check the input data, and escape it before
inserting it into the DB, eval()ing it, or doing any other potentially dangerous
stuff with it.
I repeat: never ever trust the user input. Always double-check that your
code escapes, checks, or cleans it. Every bit of it.
- --
- ----------------------------------
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net
Fear leads to anger.
Anger leads to hate.
Hate leads to using Windows NT for mission-critical applications.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFESqqu3jcQ2mg3Pc8RAmVQAJ47/e2mgu6IfX1jId13lAOzF4XU8ACgiDp7
mDFjhe5U6FEdOdwGsd2EHZw=
=QD14
-----END PGP SIGNATURE-----